10 Common Security Mistakes Businesses Make and How to Avoid Them
Donald E. Hester, CISSP, MCT, MCSE, MCSA, MCDST, Security+, CTT+
Mistake # 1
Assuming nothing will happen, or that employees know what to do
Not having a security awareness program
How to avoid:
Don’t ignore security risks and noncompliance
Security policy
Security program
Mistake # 2
Not having antivirus software, or not keeping it up to date
How to avoid:
Install antivirus software on all machines
Update antivirus signatures daily
Mistake # 3
Not keeping systems up to date (patch management)
How to avoid:
Watch vendor websites and notices
Some vendors have automated tools (e.g. Windows XP and Automatic Updates)
Mistake # 4
Be careful what you and your employees download
Viruses and spyware
System crashes, lost data, more spam, zombies, illegal software and music
How to avoid:
Policies
Training for employees
Anti-virus and anti-spyware software
Technical controls
Mistake # 5
Emailing confidential information unencrypted
How to avoid:
Policy and training for employees
Don’t forget IM (instant messaging)
Encrypt confidential information, or don’t email it
Mistake # 6
Not ensuring the network is secure
How to avoid:
Must have a firewall
Training, or certified installers and administrators
Security patches (Automatic Updates, patch management)
Harden your systems (lock down the system)
Give employees only the access they need to do their jobs
Mistake # 7
Not securing wireless networks (war-walking or war-driving)
How to avoid:
Follow the NSA security guidelines for wireless
If you use wireless, ensure you have the highest available security
Get help from certified and trained installers
Mistake # 8
Not having a backup plan (disaster, destruction or hardware failure)
How to avoid:
Backups and archiving
Business continuity planning
Document life cycle and retention policies
Redundant systems (including a UPS)
Service Level Agreements (SLAs)
NIST SP 800-34
Mistake # 9
Not watching the information when it is out of your hands; due diligence in third-party relationships
Vendors, clients (HIPAA), employees, systems integrators
How to avoid:
Disclosures and due diligence
Nondisclosure agreements
Check certifications and run background checks
Remove confidential information before sending a computer in for repair, or obtain a signed NDA
Mistake # 10
Forgetting about physical information
Keeping confidential information on laptops, PDAs and removable media; laptops stolen or destroyed
How to avoid:
No confidential client data on laptops that leave the building
Encrypt files
Keep backups of files while you are traveling
Don’t forget physical security for laptops – they are the most commonly stolen item in airports
Shred client confidential documents
Consider the location of computers and the environment they are in
Review
1. Start a security & loss prevention program
2. Keep up-to-date antivirus software
3. Keep systems & applications up-to-date
4. Be careful what you download
5. Be careful what you email and instant message
6. Secure your network with a firewall
7. Secure your wireless network
8. Make backups often & have redundancy
9. Be diligent with third parties
10. Remember physical security
General Guidance
If you need it, get help
Find out what information needs to be confidential (information asset inventory)
Make security a priority (security is part of loss prevention)
Make security a part of every process
Train every employee – have a security awareness program
Keep up with new laws and regulations – vendors, trade publications and insurance carriers
Due diligence: make sure the people who support your information systems are certified
Remember that technology is a constantly changing environment; security is a process, not a goal
Reference
Think Security First http://www.thinksecurityfirst.net/
Maze & Associates http://www.mazeassociates.com
Donald Hester’s Site http://www.learnsecurity.org
NIST Special Publications 800 Series http://csrc.nist.gov/publications/nistpubs/index.html
ISO 17799 http://www.iso.org/
OECD Guidelines for Securing Information Systems
AICPA / CICA Trust Services Principles and Criteria (SysTrust and WebTrust)
CNSS, The Committee on National Security Systems http://www.nstissc.gov/html/library.html
CobiT Management Guidelines http://www.isaca.org/ or http://www.itgi.org/
Information Security Management Handbook on CD-ROM, 2003 Edition
NSA/CSS INFOSEC http://www.nsa.gov/isso/index.html
Federal Financial Institutions Examination Council Guides and Catalogues http://www.ffiec.gov/guides.htm
Federal Trade Commission GLBA site http://www.ftc.gov/privacy/glbact/ and http://www.ftc.gov/bcp/conline/pubs/buspubs/glbshort.htm
CA Civil Code §1798.29 Personal Information Privacy Breach Disclosure Act (SB 1386, signed into law 2-12-02)
CA Civil Code §1798.85 Personal Information Confidentiality (SB 168, signed into law 10-11-01)
Sarbanes-Oxley
RFC 2196 Site Security Handbook
GASSP Generally Accepted System Security Principles
US Army FM 3-19.30 Physical Security http://www.adtdl.army.mil/cgi-bin/atdl.dll/fm/3-19.30/toc.htm